kcheung
Staff
October 11, 2024

FortiGuard Outbreak Alert: Russian Cyber Espionage Attack

Description

FortiGuard Labs has observed the following vulnerabilities being exploited, as outlined in the CISA advisory published on Russian military cyber actors.


CVE-2020-1472, also known as “Zerologon”, is an elevation of privilege vulnerability that allows attackers to establish a vulnerable Netlogon session with a Domain Controller and gain administrative privileges.


CVE-2021-3156 is a heap-based buffer overflow vulnerability in sudo (Linux) that allowed attackers to gain root privileges on a vulnerable host.

The following versions of Sudo are affected:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1


CVE-2021-26084 is an OGNL injection vulnerability in Confluence Server and Data Center which allows attackers to execute arbitrary code.

The following versions are affected:

  • Version < 6.13.23
  • 6.14.0 ≤ Version < 7.4.11
  • 7.5.0 ≤ Version < 7.11.6
  • 7.12.0 ≤ Version < 7.12.5


CVE-2022-26134 is an OGNL injection vulnerability in Confluence Server and Data Center which allows attackers to execute arbitrary code.

The following versions are affected:

  • 1.3.0 ≤ Version < 7.4.17
  • 7.13.0 ≤ Version < 7.13.7
  • 7.14.0 ≤ Version < 7.14.3
  • 7.15.0 ≤ Version < 7.15.2
  • 7.16.0 ≤ Version < 7.16.4
  • 7.17.0 ≤ Version < 7.17.4
  • 7.18.0 ≤ Version < 7.18.1
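An added example (not code from the FortiGuard alert) that turns the affected-version lists for sudo (CVE-2021-3156) and Confluence (CVE-2021-26084, CVE-2022-26134) into an inventory check; the ranges are transcribed from the text above, the host names are constructed, and the `pN` handling for sudo patch levels is the only parsing assumption made.

```python
import re

def parse_version(v: str) -> tuple:
    """'1.8.31p2' -> (1, 8, 31, 2); '7.4.11' -> (7, 4, 11, 0). The trailing
    'pN' is sudo's patch level and sorts after the bare release."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = ([int(x) for x in m.group(1).split(".")] + [0, 0])[:3]  # pad to 3 components
    return tuple(parts) + (int(m.group(2) or 0),)

# Affected ranges transcribed from the alert text: (low, high, high_inclusive).
# low=None means every release before `high`. sudo's bounds are inclusive, Confluence's exclusive.
AFFECTED = {
    "CVE-2021-3156": [("1.8.2", "1.8.31p2", True), ("1.9.0", "1.9.5p1", True)],
    "CVE-2021-26084": [(None, "6.13.23", False), ("6.14.0", "7.4.11", False),
                       ("7.5.0", "7.11.6", False), ("7.12.0", "7.12.5", False)],
    "CVE-2022-26134": [("1.3.0", "7.4.17", False), ("7.13.0", "7.13.7", False),
                       ("7.14.0", "7.14.3", False), ("7.15.0", "7.15.2", False),
                       ("7.16.0", "7.16.4", False), ("7.17.0", "7.17.4", False),
                       ("7.18.0", "7.18.1", False)],
}

def affected_by(version: str, cve: str) -> bool:
    """True if `version` falls inside any affected range listed for `cve`."""
    v = parse_version(version)
    for low, high, inclusive in AFFECTED[cve]:
        if low is not None and v < parse_version(low):
            continue
        h = parse_version(high)
        if v < h or (inclusive and v == h):
            return True
    return False

def triage(inventory):
    """inventory: [(host, cve, version)] -> {host: [cve, ...]} for hosts still on an affected build."""
    hits = {}
    for host, cve, version in inventory:
        if affected_by(version, cve):
            hits.setdefault(host, []).append(cve)
    return hits
# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("bastion-01", "CVE-2021-3156", "1.8.31p2"),   # last affected legacy sudo
    ("bastion-02", "CVE-2021-3156", "1.9.5p2"),    # first stable sudo past the affected range
    ("wiki-01", "CVE-2021-26084", "7.4.10"),
    ("wiki-01", "CVE-2022-26134", "7.4.10"),       # same build also sits in the later CVE's range
    ("wiki-02", "CVE-2022-26134", "7.4.17"),       # first fixed 7.4.x build
    ("wiki-03", "CVE-2022-26134", "7.18.0"),
]
```

Run `triage(SAMPLE_INVENTORY)` to get the hosts that need patching; `bastion-02` and `wiki-02` drop out because their builds sit just past the listed upper bounds.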


CVE-2022-26138 is a hard-coded credential vulnerability in Confluence Server and Data Center.

The Atlassian Questions For Confluence app creates a hardcoded username and password user.

This allowed attackers with knowledge of the hardcoded password to log in to Confluence and access all content accessible to users in the confluence-users group.

The following versions have the fix:

  • Update Questions for Confluence app to a fixed version: 2.7.x >= 2.7.38 OR Versions >= 3.0.5


CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall that allowed attackers to perform remote code execution.

The following versions are affected:

  • ≤ v19.0 MR1 (19.0.1)


CVE-2021-33044 and CVE-2021-33045 are authentication bypass vulnerabilities in Dahua products during the login process. Dahua is a company that specializes in video surveillance equipment.

Refer to the following links for affected versions:


For more information on the Russian Cyber Espionage Attack, refer to the following advisory published by CISA:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
CVE ID

CVE-2020-1472 (https://nvd.nist.gov/vuln/detail/CVE-2020-1472)

CVE-2021-3156 (https://nvd.nist.gov/vuln/detail/CVE-2021-3156)

CVE-2021-26084 (https://nvd.nist.gov/vuln/detail/CVE-2021-26084)

CVE-2022-26134 (https://nvd.nist.gov/vuln/detail/CVE-2022-26134)

CVE-2022-26138 (https://nvd.nist.gov/vuln/detail/CVE-2022-26138)

CVE-2022-3236 (https://nvd.nist.gov/vuln/detail/CVE-2022-3236)

CVE-2021-33044 (https://nvd.nist.gov/vuln/detail/CVE-2021-33044)

CVE-2021-33045 (https://nvd.nist.gov/vuln/detail/CVE-2021-33045)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.9+

Detection Rule Name | Category | Primary MITRE ID
--- | --- | ---
Netlogon Elevation of Privilege - CVE-2020-1472 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Sudo Heap overflow CVE-2021-3156 | Attack: Exploitation | T1548 - Abuse Elevation Control Mechanism
Atlassian Confluence OGNL Injection RCE - CVE-2021-26084 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Atlassian Confluence OGNL Injection - CVE-2022-26134 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Atlassian Confluence Questions add-on Hardcoded credentials - CVE-2022-26138 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Sophos Firewall User Portal and Webadmin Code Injection - CVE-2022-3236 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Dahua NVR HTTP Authentication Bypass - CVE-2021-33044/CVE-2021-33045 | Attack: Exploitation | T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Russian Cyber Espionage Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=russian%20cyber%20espionage

All IOCs listed above have been added to Threat Intelligence Intel

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signatures below:

2030871 -> ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)

2030888 -> ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)

2030870 -> ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)

2035259 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2

2035263 -> ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)

2035258 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1

2035260 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1

2035261 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2

2035262 -> ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)
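An added example (not part of the FortiGuard alert or the ET ruleset) that correlates the Zerologon signatures listed above across their three phases per source/destination pair, reading Suricata eve.json alert records; the sid-to-phase mapping follows the signature names above, the eve.json field names are Suricata's standard ones, and the sample records, addresses and five-minute window are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# sid -> Zerologon phase, taken from the signature names listed above.
# 2030888 (ET INFO, RPC Netlogon UUID) is context only and is deliberately not mapped.
ZEROLOGON_PHASE = {
    2030870: 1,                            # NetrServerReqChallenge, 0x00 client challenge
    2030871: 2, 2035258: 2, 2035259: 2,    # NetrServerAuthenticate/2/3, 0x00 client creds
    2035260: 2, 2035261: 2,
    2035262: 3, 2035263: 3,                # NetrServerPasswordSet2 / NetrLogonSamLogonWithFlags
}

def parse_ts(ts: str) -> datetime:
    """Suricata eve.json timestamps look like 2024-10-11T10:00:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def correlate_zerologon(eve_lines, window=timedelta(minutes=5)):
    """One finding per (src_ip, dest_ip) pair whose alerts cover all three phases
    within `window`; the phase-2 count is kept because that step is retried."""
    seen = defaultdict(lambda: defaultdict(list))  # (src, dst) -> phase -> [timestamps]
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        phase = ZEROLOGON_PHASE.get(rec["alert"]["signature_id"])
        if phase is None:
            continue
        seen[(rec["src_ip"], rec["dest_ip"])][phase].append(parse_ts(rec["timestamp"]))
    findings = []
    for (src, dst), phases in seen.items():
        if not all(p in phases for p in (1, 2, 3)):
            continue
        stamps = [t for ts in phases.values() for t in ts]
        if max(stamps) - min(stamps) <= window:
            findings.append({"src_ip": src, "dest_ip": dst, "phase2_attempts": len(phases[2])})
    return findings

def _alert(ts, src, dst, sid):  # builds one constructed eve.json alert record
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": dst, "alert": {"signature_id": sid}})

# Constructed sample: 10.0.0.5 trips all three phases against DC 10.0.0.10;
# 10.0.0.7 only trips the challenge rule, which alone is not conclusive.
SAMPLE_EVE = [
    _alert("2024-10-11T10:00:00.000000+0000", "10.0.0.5", "10.0.0.10", 2030870),
    _alert("2024-10-11T10:00:01.000000+0000", "10.0.0.5", "10.0.0.10", 2035258),
    _alert("2024-10-11T10:00:02.000000+0000", "10.0.0.5", "10.0.0.10", 2035260),
    _alert("2024-10-11T10:00:04.000000+0000", "10.0.0.5", "10.0.0.10", 2035262),
    _alert("2024-10-11T10:00:09.000000+0000", "10.0.0.7", "10.0.0.10", 2030870),
]
```

Feeding a real eve.json (one JSON object per line) to `correlate_zerologon` keeps only pairs that progressed through challenge, authenticate and password-set, which cuts the noise from the phase-1 rule firing alone.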

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/russian-cyber-espionage